Cisco Systems OL-6426-02 manual

BETA DRAFT - CISCO CONFIDENTIAL

C H A P T E R 7

Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation

The Cisco 1800 series integrated services fixed-configuration routers support the creation of virtual private networks (VPNs).

Cisco routers and other broadband devices provide high-performance connections to the Internet, but many applications also require the security of VPN connections which perform a high level of authentication and which encrypt the data between two particular endpoints.

Two types of VPNs are supported—site-to-site and remote access. Site-to-site VPNs are used to connect branch offices to corporate offices, for example. Remote access VPNs are used by remote clients to log in to a corporate network.

The example in this chapter illustrates the configuration of a site-to-site VPN that uses IPSec and the generic routing encapsulation (GRE) protocol to secure the connection between the branch office and the corporate network. Figure 7-1shows a typical deployment scenario.

Figure 7-1 Site-to-Site VPN Using an IPSec Tunnel and GRE

8

	3		6
2	4	5	7

Internet

1

9

121783

1

2

3

4

5

6

Branch office containing multiple LANs and VLANs

Fast Ethernet LAN interface—With address 192.165.0.0/16 (also the inside interface for NAT)

VPN client—Cisco 1800 series integrated services router

Fast Ethernet or ATM interface—With address 200.1.1.1 (also the outside interface for NAT)

LAN interface—Connects to the Internet; with outside interface address of 210.110.101.1

VPN client—Another router, which controls access to the corporate network

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

	OL-6426-02	7-1

Image 85

Cisco Systems OL-6426-02 manual Site-to-Site VPN Using an IPSec Tunnel and GRE

Contents

Cisco Systems, Inc Page N T E N T S Configuring Your Router for Ethernet and DSL Access 802.1x Authentication Configure the IPSec Crypto Method and Parameters Configuring Backup Interfaces Chap Configuration Register C-6 OL-6426-02 Audience Preface Chapter Title Description OrganizationVPN Conventions Command ConventionsConvention Description Boldface Obtaining Documentation Related DocumentsCisco.com Cisco Product Security Overview Documentation FeedbackDocumentation DVD Ordering Documentation Obtaining Technical Assistance Reporting Security Problems in Cisco ProductsCisco Technical Support Website An emergency, you can also reach Psirt by telephone 877 408 Definitions of Service Request Severity Submitting a Service Request Obtaining Additional Publications and Information Getting Started Page Interface Port Labels Basic Router ConfigurationRouter Interface Port Label ADSLoISDN Viewing the Default ConfigurationATM WAN Shdsl USB Modem Example 1-1 Cisco 1812 Default Configuration on Startup Information Needed for Configuration To configure the router, perform one or more of these tasks Configuring Basic Parameters Configure Fast Ethernet LAN Interfaces Configure Global ParametersCommand Purpose Example Configure the Fast Ethernet WAN Interface Configure WAN Interfaces Mode atm Exit Configure the ATM WAN InterfaceController dsl No shutdown Configuring a Loopback Interface Configure the Wireless InterfaceConfiguration Example Verifying Your Configuration Configuring Command-Line Access to the RouterPassword password Line aux console tty vty line-number Exec-timeout minutes seconds LoginEnd Exits router configuration mode, and enters Configuring Static RoutesPrivileged Exec mode Parameters that can be set, see the Cisco IOS IP Configuration Example Configuring Dynamic RoutesVerifying Your Configuration Command Task Configuring RIPRouter rip Version 1 Enters router configuration mode, and enables Configuring Enhanced IgrpEigrp on the router. The autonomous-system Number identifies the route to other Eigrp routers Routerconfig# network Be applied, using the IP address of the networkSpecifies a list of networks on which Eigrp is to Configuring Your Router for Ethernet and DSL Access Page For Ethernet-Based Network Deployments Sample Network DeploymentsFor DSL-Based Network Deployments OL-6426-02 Configuring PPP over Ethernet with NAT Command or Action Purpose Configuration TasksVpdn enable PPPoE Request-dialin Configure the Fast Ethernet WAN InterfacesInitiate to ip ip-address Protocol l2f l2tp pppoe any These steps to configure one or both of them Cisco 1800 integrated services routers haveConfigures the PPPoE client and specifies Enables the Fast Ethernet interface Configure the Dialer Interface Exits the dialer 0 interface configuration Using a dialer group controls access toAssigns the dialer interface to a dialer group Your router Configure Network Address Translation Ip nat inside outside Access-list access-list-number deny permitSource source-wildcard Configuration Example Router# show ip nat statistics PPP over ATM with NAT Configuring PPP over ATM with NAT PPPoA Authentication Protocol Chap Sets the PPP authentication methodSpecifies that the IP address for the dialer Interface is obtained through PPP/IPCP IP Command Reference, Volume 1 of 4 Routing Configure the ATM WAN Interface Configuring Adsl Configure DSL Signaling ProtocolAttribute Description Default Value Verify the Configuration Configuring ShdslDsl lom integer Dsl enable-training-log Wire Line-mode 4-wire enhanced 4-wire standardIgnore-error-duration number Configure Network Address Translation About enabling static translation, see the Cisco Enables the configuration changes just made toFE2-FE9 reside to be the inside interface For NAT Exits configuration mode for the ATM interface Static translation, see the Cisco IOS IP CommandDefines a standard access list permitting addresses Identifies the specified WAN interface as the NAT ATM0 Vlan Configuring a LAN with Dhcp and VLANsVLANs Configure Dhcp Import all Default-router address address2 ...address8Dns-server address address2 ...address8 Domain-name domain Router# show ip dhcp import Verify Your Dhcp ConfigurationIp dhcp pool Verify Your Vlan Configuration Configure VLANsVlan ? Example Vlan Router# show vlan-switch Switch Port Configurations Vlan Trunking Protocol VTP 802.1x Authentication Switched Port Analyzer Span Maximum Switched Virtual Interfaces SVIsIP Multicast Switching Layer 2 Interfaces Fallback Bridging Per-Port Storm ControlSeparate Voice and Data Subnets Igmp Snooping Internet Configuring a VPN Using Easy VPN and an IPSec Tunnel Cisco Easy VPN Configure the IKE Policy Crypto isakmp client configuration group Configure Group Policy InformationGroup-name default Key name Ip local pool default poolname Apply Mode Configuration to the Crypto Map Configure IPSec Transforms and Protocols Enable Policy Lookup Configure the IPSec Crypto Method and Parameters Reverse-route Apply the Crypto Map to the Physical InterfaceCrypto map map-name seq-num ipsec-isakmp Dynamic dynamic-map-name discover Crypto map map-name Create an Easy VPN Remote Configuration Crypto ipsec client ezvpn name outside inside Verifying Your Easy VPN Configuration Crypto ipsec client ezvpn ezvpnclient connect auto Beta Draft Cisco Confidential Site-to-Site VPN Using an IPSec Tunnel and GRE VPNs GRE Tunnels Configure the IKE Policy Configure a VPNAlso enters Internet Security Association Key Example uses 168-bit Data Encryption Group 1 2 Configure Group Policy InformationLifetime seconds Exits IKE group policy configuration mode, Enable Policy LookupEnters global configuration mode Specifies group domain membership Method used to do so Configure IPSec Transforms and ProtocolsSpecifies global lifetime values used when Negotiating IPSec security associations Creates a dynamic crypto map entry, and enters Configure the IPSec Crypto Method and ParametersCreates source proxy information for the crypto Map entry Apply the Crypto Map to the Physical Interface Configure a GRE TunnelMap Applies the crypto map to the interface Exits interface configuration mode, and returns to Tunnel interface must be configured toEnters ACL configuration mode for the named Access-list-name ACL that is used by the crypto map Configuration Example Ip nat outside no cdp enable Beta Draft Cisco Confidential Router with Firewall Configured Configuring a Simple Firewall Fast Ethernet LAN interface the inside interface for NAT Series integrated services router, respectivelyProtected network Unprotected network Configure Inspection Rules Configure Access ListsCreates an access list which prevents Internet Details about this command Assigns the set of firewall inspection rules to Apply Access Lists and Inspection Rules to InterfacesInside interface on the router Configuring a Simple Firewall Configuration Example Beta Draft Cisco Confidential 1shows a wireless network deployment Configuring a Wireless LAN Connection Configuring a Wireless LAN Connection Configure the Root Radio Station User attempting access to the wireless LAN Sets the permitted authentication methods for aExits Ssid configuration mode, and enters Interface configuration mode for the wireless Station-role repeater root Configure Bridging on VLANsBridge number crb irb mac-address-table Bridge-group number Enables Ieee 802.1q encapsulation on Configure Radio Station SubinterfacesSpecified subinterface Assigns a bridge group to the subinterface Exits subinterface configuration mode, No bridge-group 3 unicast-flooding Interface Vlan1 Router# show running-config Sample Configuration10-1 Ip dhcp pool vlan3 10-2 10-3 10-4 10-5 10-6 11-1 Additional Configuration Options 11-2 Configuring Additional Features and Troubleshooting Page Authentication, Authorization, and Accounting Configuring Security Features12-1 Configuring Access Lists Configuring AutoSecureConfiguration Commands ACL Type Access Groups Configuring a Cbac FirewallGuidelines for Creating Access Groups Ip access-group number name in out Configuring VPNs Configuring Cisco IOS Firewall IDS12-4 Dial Backup Feature Activation Methods Configuring Dial Backup and Remote ManagementBackup Interfaces 13-1 Floating Static Routes Configuring Backup Interfaces13-2 Enables RIP routing Configuring Floating Static Routes13-3 Dialer Watch Configuring Dialer WatchSpecifies the group number for the watch list 13-4 Dial Backup Type Possible? Dial Backup Method Limitations Dial Backup Feature Limitations13-5 13-6 13-7 13-8 Example 13-3 Configuring Dial Backup Using Dialer Watch 13-9 Configure Isdn Settings 13-10 Ip address negotiated Access-groupDialer pool number Dialer-group group-number For your Cisco router during the ATM network downtime Configure the Aggregator and Isdn Peer Router13-12 13-13 Asynchronous Interface Configuration 13-14 13-15 Line Configuration 13-16 Getting Started TroubleshootingBefore Contacting Cisco or Your Reseller 14-1 Shdsl Troubleshooting Adsl TroubleshootingPortFast Troubleshooting 14-2 Ping atm interface Command ATM Troubleshooting CommandsShow interface Command 14-3 Output Cause Shutdown command14-4 14-5 Show atm interface CommandRouter# show atm interface atm Guidelines for Using Debug Commands Debug atm CommandsDebug atm errors Command Field Description Router# debug atm errors ATM errors debugging is on Router# Debug atm events Command14-7 Router# debug atm events Router# Where the keywords are defined as follows Debug atm packet CommandOptional ATM interface or subinterface number Example 14-7shows a sample output Recovering a Lost Password Software Upgrade MethodsATM0 14-9 14-10 Change the Configuration RegisterRouter# show version Router# show startup-config Reset the RouterPress Return. The following prompt appears Prompt changes to the privileged Exec prompt Reset the Configuration Register Value Reset the Password and Save Your Changes14-12 14-13 Managing Your Router with SDM 14-14 Reference Information Page One of the configuration topic chapters in this guide Configuring the Router from a PCCisco IOS Software Basic Skills PC Operating System Software Understanding Command Modes As interface atm ExecCtrl-Z Getting Help Configuration mode Routing protocol AppropriateRouter Enter one of the router Router rip, from Entering Global Configuration Mode Enable Secret Passwords and Enable PasswordsYou can now make changes to your router configuration Abbreviating Commands Using CommandsUndoing Commands Command-Line Error Messages Where to Go Next Saving Configuration ChangesSummary OL-6426-02 Adsl Concepts Routing Protocol Options Network Protocols Protocol Ideal Topology Metric Routing Updates PPP Authentication ProtocolsEnhanced Igrp RIP PAP Ethernet Network Interfaces Backup Interface Dial BackupDialer Interface NAT Easy IP Phase IP Precedence QoSPPP Fragmentation and Interleaving Low Latency Queuing Cbwfq Access Lists OL-6426-02 Config-reg EnableResets the configuration register ROM Monitor Exits global configuration mode ROM Monitor CommandsReload Descriptions section in this appendix Disaster Recovery with Tftp Download Command DescriptionsTftp Download Command Variables Command Description Required Variables Variable CommandOptional Variables TFTPTIMEOUT= time Using the Tftp Download CommandTFTPCHECKSUM= setting Retrytimes Changing the Configuration Register Manually Configuration RegisterChanging the Configuration Register Using Prompts Rommon 1 confreg Console Download Command Description Error Reporting Debug CommandsContext-Displays processor context for example Frame-Displays an individual stack frame Exiting the ROM Monitor OL-6426-02 Port Keyword Description Common Port Assignments NETBIOS-DGM NETBIOS-NSNETBIOS-SSN Finger See AAL See ARPSee ATM IN-1 See CAR See ChapIN-2 IN-3 Dhcp See also examples Experience, user Extended access list Overview B-11Ethernet B-5 Events, ATM, displaying GRE See NCP See LCPIN-5 See PVC See PAPSee PPP See Ipcp See NAT See RIPIN-7 See UDP Upgrading software, methods for 14-9User Datagram ProtocolIN-8